SSH into an Ubuntu VPS (Docker) for a read-only health/security/update report (UFW + fail2ban) and propose fixes; apply updates/restarts only with explicit confirmation. Use when the user wants a read-only VPS health/security check.
Install via CLI
Skills Directoryopenskills install jMerta/codex-skills---
name: vps-checkup
description: "SSH into an Ubuntu VPS (Docker) for a read-only health/security/update report (UFW + fail2ban) and propose fixes; apply updates/restarts only with explicit confirmation. Use when the user wants a read-only VPS health/security check."
---
# VPS checkup (Ubuntu + Docker)
## Goal
- Produce a clear, read-only health/security/update report for an Ubuntu VPS running Docker.
- Propose safe, minimal fixes; do not apply changes or restart anything unless the user explicitly confirms.
## Inputs to ask for (if missing)
- SSH target host alias (from `~/.ssh/config` on Windows: `$HOME\\.ssh\\config`) or `user@ip`.
- Confirm `sudo` access and whether running `apt update` is allowed (it modifies package lists).
- Required open ports (e.g., `22`, `80`, `443`) and any non-standard SSH port.
- Where deployments live: confirm if Docker Compose is used on the VPS (common), and whether compose files are in a known path.
- If the local `ssh` client or required tools are missing, tell the user and ask whether to install them or provide command output manually.
## Workflow (checklist)
1) Connect safely
- Keep a second SSH session open before any SSH/firewall changes.
- Record identity/time/host: `whoami`, `hostname -f`, `date -Is`, `uptime`.
2) Collect a read-only baseline (system)
- OS/kernel: `lsb_release -a` (or `cat /etc/os-release`), `uname -a`.
- CPU/mem/disk: `top` snapshot, `free -h`, `df -hT`, `lsblk`.
- Services: `systemctl --failed`, `journalctl -p 3 -xb --no-pager` (use `sudo` if needed).
3) Check security posture (read-only)
- SSH: prefer `sudo sshd -T` (fallback to `sudo cat /etc/ssh/sshd_config` + `sshd_config.d/`).
- Firewall: `sudo ufw status verbose` (and `sudo ufw status numbered`).
- Fail2ban: `sudo fail2ban-client status` (+ `status sshd` if present).
- Listening ports: `ss -tulpn` (use `sudo` if needed).
4) Check update posture (read-only by default)
- If user allows: run `sudo apt update` to ensure accurate results.
- Then collect: `apt list --upgradable`, `ubuntu-security-status` (if available), and `/var/run/reboot-required` presence.
- Check unattended upgrades: `systemctl status unattended-upgrades --no-pager` and `/var/log/unattended-upgrades/`.
5) Check Docker health (read-only)
- Daemon status: `systemctl status docker --no-pager`, `docker info`.
- Containers: `docker ps`, unhealthy/restarting containers, recent restarts, and `docker stats --no-stream`.
- Disk usage: `docker system df` and large log growth indicators.
- Compose overview: `docker compose ls` (then inspect key projects as needed).
6) Produce the report + recommendations
- Use `references/report-template.md`.
- Use `references/ubuntu-docker-checkup-commands.md` for a copy/paste command set.
- Rank findings by severity and explicitly list what requires confirmation (updates, firewall changes, SSH changes, restarts, pruning, reboot).
7) Apply fixes (ONLY with explicit confirmation)
- Do not run `apt upgrade`, change UFW rules, change SSH auth, prune Docker, restart services/containers, or reboot unless the user says to.
## Safety gates (non-negotiable)
- No restarts (Docker/system services) unless the user explicitly asks for restart.
- No SSH/firewall changes unless you have a backup access path (second session open) and the user confirms the plan.
- Never paste secrets (tokens, private keys) into chat or logs.
## Deliverable
Provide:
- A read-only report using `references/report-template.md`.
- A prioritized list of recommended fixes and which ones require explicit confirmation.
- The exact commands run (or requested if the user ran them manually).
No comments yet. Be the first to comment!